Free AWS DOP-C02 Actual Exam Questions - Question 15 Discussion
In an Amazon S3 bucket, all data is encrypted with AWS Key Management Service (AWS KMS)
customer managed keys. All AWS resources are deployed from an AWS CloudFormation template.
A DevOps engineer needs to set up a development environment for the application in a different
AWS account. The data in the development environment's S3 bucket needs to be updated once a
week from the production environment's S3 bucket.
The company must not move PII from the production environment without anonymizing the PII first.
The data in each environment must be encrypted with different KMS customer managed keys.
Which combination of steps should the DevOps engineer take to meet these requirements? (Select
TWO)
This seems like a good case for A and D. The Step Functions can do the PII redaction and copying with proper KMS permissions, while EventBridge can schedule the workflow weekly in the dev account.
C/E? Batch Operations can handle copying at scale, and Lambda redacts PII before access in dev. Scheduling with EC2 cron keeps it automated without added complexity.
Maybe C and E. C uses Lambda for redaction, which fits anonymizing needs, and E schedules the batch job regularly. This combo handles encryption keys separately and automates the weekly update cleanly.
C/E maybe? Lambda can handle redaction and batch jobs can automate copying.
D makes sense to automate weekly sync; E could handle batch copying and redaction timing.
Maybe A and D. A covers PII detection and redaction using Macie and Step Functions, plus proper KMS permissions. D handles setting up the dev environment and automating the weekly sync with CloudFormation and EventBridge.
A/D? A looks good since Macie can find and redact PII before copying, and giving decrypt/encrypt perms on both KMS keys makes sense. D fits because you need to set up the dev environment with CloudFormation and automate the weekly process with Step Functions triggered by EventBridge. The key parts are anonymizing PII before it hits dev and using separate KMS keys, so this combo seems solid. Other options don’t seem to adequately cover both anonymizing and scheduling with proper KMS permissions.